After using Security Onion (standalone architecture) for approx. 1 year in my home network with 1 Gbit/s Internet, here are my takeaway notes:
- 32 GB RAM is way better than 16 GB
- If possible, the monitor network card should be at least 2.5 Gbit/s if all the devices on the network are using 1 Gbit/s interfaces.
- I use port mirroring on my MikroTik CRS326-24G-2S+ switch to send all the network packets to the monitor interface
- Intel NICs are better for the monitor interface than e.g. Realtek NICs
Same here ;) agree 100%
Great video! This is a great foundational video for anyone looking to get more involved in InfoSec. Awesome showing!
Glad you enjoyed it!
I used this as part of my capstone project for my bachelor's. It was really nice to have visual representations for all the traffic and alerting for threatening/malicious behavior on the network. Really great to see you demoing this as well.
Man I’ve been a huge fan and long time user of security onion. It’s such a damn good tool. And it has enterprise support and Doug offers training.
Also, you may want to mention that the most important server consideration is disk space. CPU and RAM you can get by with easily, but you can very quickly fill your disk, especially if you're doing full packet captures by default. My first SO server I tested with had a 4 TB disk, which I filled in less than a day...
Wow. Thank you so much. There’s absolutely nothing on yt if you search for network monitoring, maybe a few nems vids and how to set up elastic search, but nothing as comprehensive as this!
👊
So I think it would be interesting to go over open source security architectures from multiple levels. Level one could be an individual using something like ClamAV. Level 2 could be an intrepid home labber or small business and what tools they could use. Level 3 could be more a medium business with dedicated IT, and level 4 could be the full stack. Like, what tools would you use in each level and why? The thing is that security is hard, and what you use depends a lot on skill level as well as the time you are willing to dedicate to it. There are a lot of security tools out there. Off the top of my head I can think of OPNsense, Security Onion, Wazuh, ClamAV, OSSEC, and OSSIM. Another added layer of complexity here is that because they are open source, many of these tools use the same components. I think Suricata and Snort are used in several of these options. Are they equivalent, or even if OPNsense and Security Onion both use Suricata, do they use them in different ways where you can still get benefits out of using both?
Great foundation for everyone starting out!
Love the Security Onion content. Please give us more! Maybe some BPF tuning tips for multiple VLANs.
This one is a banger. Thanks Tom
Impressive content, Lawrence Systems. Looking forward to your next upload. I smashed the thumbs up button on your video. Keep up the fantastic work! Your breakdown of Security Onion's installation process was very thorough. How do you see the evolution of threat detection tools like Security Onion impacting the future of network security strategies?
Thanks, and Security Onion is a great tool for people into security.
Would be good if you could do more if possible - anyway well done!
So glad you did this video.
I am going to go check out that video you mentioned in the video.
I agree, I don't think the YouTube algorithm has been fair to Security Onion. I can find 10 Wazuh videos to 1 Security Onion.
Thanks for making this video.
Glad you found it helpful!
Hey Tom!
What do you suggest using to detect network attacks when you are using a cloudflared tunnel? Is there something which can show the attacker's real IP in this situation? Do I even need to care about this, or does Cloudflare block everything and I can just forget about monitoring?
I'm running a potato AMD E-350 (2) @ 1.60 GHz, 3.76 GiB / 7.38 GiB (51%), Alpine Linux with a known-good IPv4+6 iptables ruleset... running Docker: Grav, Immich, LittleLink, Nextcloud, SearXNG, Transmission, WordPress, Watchtower, Uptime Kuma... Prometheus + Grafana + cAdvisor?
Because the attacks would be happening on the Cloudflare side, that is where the data would need to come from.
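One practical consequence of the exchange above: behind a cloudflared tunnel the origin service only ever sees the tunnel connector as its TCP peer, so the attacker's address has to be recovered from what Cloudflare sends along with the request (the CF-Connecting-IP header), and that header must only be trusted on connections that actually came through the connector. The following is an added illustration, not code from the video or from Security Onion or Cloudflare; it assumes cloudflared runs on the same host (peer is loopback) and uses a constructed log format and constructed sample lines.

```python
import ipaddress
import re

# Assumption: cloudflared runs on the same host as the origin service, so a
# proxied request arrives from loopback. Any other peer (e.g. a LAN host that
# reached the service directly) can forge headers, so its header is ignored.
TRUSTED_CONNECTORS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
)


def is_trusted_connector(remote_addr: str) -> bool:
    """True if the TCP peer is the tunnel connector we trust to set headers."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in TRUSTED_CONNECTORS)


def real_client_ip(remote_addr: str, headers: dict) -> str:
    """Return the address a request should be attributed to.

    CF-Connecting-IP is honoured only when the peer is the trusted connector
    and the header value parses as an IP address; otherwise the peer address
    itself is the best available answer.
    """
    if not is_trusted_connector(remote_addr):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    claimed = lowered.get("cf-connecting-ip")
    if claimed is None:
        return remote_addr
    try:
        return str(ipaddress.ip_address(claimed.strip()))
    except ValueError:
        # A malformed header is treated as absent rather than trusted.
        return remote_addr


# Constructed log format for the demo: peer address, CF-Connecting-IP value as
# logged by the origin, request line and status.
LOG_RE = re.compile(
    r'peer=(?P<peer>\S+) cf=(?P<cf>\S*) req="(?P<method>\S+) (?P<path>\S+)" '
    r"status=(?P<status>\d+)"
)

# Constructed sample lines: two failures from one real client via the tunnel,
# one direct LAN hit carrying a forged header, one junk header value.
SAMPLE_LOG = """\
peer=127.0.0.1 cf=203.0.113.7 req="POST /wp-login.php" status=401
peer=127.0.0.1 cf=203.0.113.7 req="POST /wp-login.php" status=401
peer=127.0.0.1 cf=198.51.100.9 req="GET /" status=200
peer=192.168.1.50 cf=203.0.113.7 req="POST /wp-login.php" status=401
peer=127.0.0.1 cf=not-an-ip req="POST /wp-login.php" status=401
"""


def failed_logins_by_client(log_text: str) -> dict:
    """Count HTTP 401 responses on /wp-login.php per attributed client IP."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["path"] != "/wp-login.php" or m["status"] != "401":
            continue
        headers = {"CF-Connecting-IP": m["cf"]} if m["cf"] else {}
        ip = real_client_ip(m["peer"], headers)
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in sorted(failed_logins_by_client(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed login(s)")
```

Run against the sample, the two tunnel failures are attributed to 203.0.113.7, the direct LAN hit stays attributed to 192.168.1.50 despite its forged header, and the junk header falls back to the loopback peer. The same trust rule applies if the origin sits behind a reverse proxy instead of the connector: extend the trusted set to that proxy and nothing else.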
This one or Wazuh? :)
Also more of a fan of Wazuh.
I am debating about doing a video on that as well, most of the popular videos on Wazuh are also sponsored by them.
We are using Wazuh at work and I was thinking about putting it on my home network. I think I'll switch it to SO to learn a different platform.
It really depends on your use case. Previous versions of Security Onion actually included Wazuh but we've replaced it with the Elastic Agent as it's more integrated into our platform and is more suited for our use case of threat hunting and incident response.
@LAWRENCESYSTEMS That would be great. I am a newbie looking into this topic and found Wazuh, but now this one as well.